qemu: fix multple CVEs

import patches from ubuntu to fix CVE-2020-15469 CVE-2020-15859 CVE-2020-17380 CVE-2020-35504 CVE-2020-35505 CVE-2021-3409 CVE-2022-26354 https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security Combine patches for both CVE-2020-25085 and CVE-2021-3409 also fix CVE-2020-17380. so mark CVE-2020-17380 fixed by CVE-2021-3409 patches. CVE-2020-17380 patch backported since oecore rev 6b4c58a31ec11e557d40c31f2532985dd53e61eb. (From OE-Core rev: 3ee2e9027d57dd5ae9f8795436c1acd18a9f1e24) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2023-03-21 11:40:23 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-04-01 20:23:23 +0100
commit: 72707c04e10248640328dd39afe55ba08195965d (patch)
tree: 9d675807dc06d19e792546938aa2e5f929092490 /meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
parent: f76c7b8e6366129a2550417ed6f091717d897a81 (diff)
download: poky-72707c04e10248640328dd39afe55ba08195965d.tar.gz
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
new file mode 100644
index 0000000000..49c6c5e3e2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
@@ -0,0 +1,53 @@
+From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:29 +0530
+Subject: [PATCH] nvram: add nrf51_soc flash read method
+Add nrf51_soc mmio read method to avoid NULL pointer dereference
+issue.
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-6-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/nvram/nrf51_nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
+index f2283c1..7b3460d 100644
+--- a/hw/nvram/nrf51_nvm.c
+++ b/hw/nvram/nrf51_nvm.c
+@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = {
+         .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
+{
+    /*
+     * This is a rom_device MemoryRegion which is always in
+     * romd_mode (we never put it in MMIO mode), so reads always
+     * go directly to RAM and never come here.
+     */
+    g_assert_not_reached();
+}
+ 
+ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+         unsigned int size)
+@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+ 
+ 
+ static const MemoryRegionOps flash_ops = {
+    .read = flash_read,
+     .write = flash_write,
+     .valid.min_access_size = 4,
+     .valid.max_access_size = 4,
+-- 
+1.8.3.1
author	Chee Yang Lee <chee.yang.lee@intel.com>	2023-03-21 11:40:23 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-04-01 20:23:23 +0100
commit	72707c04e10248640328dd39afe55ba08195965d (patch)
tree	9d675807dc06d19e792546938aa2e5f929092490 /meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
parent	f76c7b8e6366129a2550417ed6f091717d897a81 (diff)
download	poky-72707c04e10248640328dd39afe55ba08195965d.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch new file mode 100644 index 0000000000..49c6c5e3e2 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
@@ -0,0 +1,53 @@
	1	From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 11 Aug 2020 17:11:29 +0530
	4	Subject: [PATCH] nvram: add nrf51_soc flash read method
	5
	6	Add nrf51_soc mmio read method to avoid NULL pointer dereference
	7	issue.
	8
	9	Reported-by: Lei Sun <slei.casper@gmail.com>
	10	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	12	Reviewed-by: Li Qiang <liq3ea@gmail.com>
	13	Message-Id: <20200811114133.672647-6-ppandit@redhat.com>
	14	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	15
	16	CVE: CVE-2020-15469
	17	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ]
	18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	19	---
	20	hw/nvram/nrf51_nvm.c \| 10 ++++++++++
	21	1 file changed, 10 insertions(+)
	22
	23	diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
	24	index f2283c1..7b3460d 100644
	25	--- a/hw/nvram/nrf51_nvm.c
	26	+++ b/hw/nvram/nrf51_nvm.c
	27	@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = {
	28	.endianness = DEVICE_LITTLE_ENDIAN,
	29	};
	30
	31	+static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
	32	+{
	33	+ /*
	34	+ * This is a rom_device MemoryRegion which is always in
	35	+ * romd_mode (we never put it in MMIO mode), so reads always
	36	+ * go directly to RAM and never come here.
	37	+ */
	38	+ g_assert_not_reached();
	39	+}
	40
	41	static void flash_write(void *opaque, hwaddr offset, uint64_t value,
	42	unsigned int size)
	43	@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
	44
	45
	46	static const MemoryRegionOps flash_ops = {
	47	+ .read = flash_read,
	48	.write = flash_write,
	49	.valid.min_access_size = 4,
	50	.valid.max_access_size = 4,
	51	--
	52	1.8.3.1
	53